ietf-822
[Top] [All Lists]

Re: 2 MIME questions re: message/rfc822

2004-11-05 11:38:32

Even modulo the 'From ' breakage, a correctly calculated signature
on canonical form won't survive software that decided to wrap a
long single-line Recieved: and make it into 3 or 4 shorter lines...

This begs the question of how long the line actually was. IMO a line inside a
multipart/signed that fits in the 998 SMTP limit should at least have had the
option of not being rewrapped. If OTOH, the line was longer than the SMTP
limit, then as I said before, I have no sympathy because this is yet another
case of sending agent misbehavior.

If such rewrapping is considered OK, then we really need to look
at fixing the PGP signature algorithm to consider all spans of
whitespace as equivalent (collapse down to single blank for signature
purposes, maybe?)

What's really needed is a generic way of computing a hash of a MIME object that
takes as many of these issues as possible into account. I've had the
specification of such a thing on my to-do list literally for years but I never
seem to find the time to finish writing it up.

Basically what you want to do is define a hash methodology that computes
separate hashes on leaf nodes in the MIME object and then combines those
separate hashes along with hashes of canonicalized headers and the MIME
structure itself in a specific way to arrive at a single result. The
advantages of this approach are numerous:

(1) Encodings can be changed without breaking signatures. (This can help
    with handling whitespace, and it makes it possible for signatures to
    survive 8->7 conversion.)
(2) Boundary markers can be changed without breaking signatures. (How
    to handle preamble and postamble text is an interesting side issue here.)
(3) A message store can cache hash values for large leaf objects and use
    the cache to quickly sign very large messages.
(4) Some sorts of header mangling can be tolerated.

So, is it time for me to finish the specification for this? Does anybody
care, and more to the point, will anybody actually implement it?

                                Ned